DBSA:2014-0013

From Digibase Knowledge Base
Jump to: navigation, search

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - CNET: A Significant Security Risk

Keywords: CNET, Compromised, Advertisements, download.com, cnet.com

DBSA ID: 2014-0013

Regarding: CNET: A Significant Security Risk

Writeup: Kradorex Xeron (talk) 01:45, 16 July 2014 (EDT)

Date: 2014 07 16

Last Modified: 20140716011804 by Kradorex Xeron

Who should take note: All Internet users, especially users of download.com and cnet.com.

Classification

Priority: HIGH

Rationale: Continued use of the services could leave information unsecured and, with recent events, leave user information potentially vulnerable to misuse.

Severity: HIGH

Rationale: The service deploys deceptive methodologies along with leaving user information at risk.

Spread of Issue: MULTI-PLATFORM MODERATE

Rationale: Sites like download.com are popular services and are accessed by users utilizing multiple platforms.

Description

CNET is a web services operator that is currently owned and governed by CBS Interactive. It hosts services such as download.com and cnet.com, the latter of which provides reviews of technology products, videos, as well as forums among other services. Over the past several years, it has been observed that CNET has taken an increasing risk to security management and the privacy of its users.

Noteworthy issues include:

  • CNET was purchased by CBS Interactive, which is an entertainment company with significant interest in marketing and advertisement, where users may be exposed to having user data lifted for marketing and/or tracking purposes.
  • Providing download.com downloads packaged with adware among other malware that would not be provided given an package not provided through the service, users allegedly may opt out but the option hasn't been sufficiently visible.
  • Permitting deceptive advertisements to be placed with download-style buttons to lure users to unnecessary software packages or diverting users to advertisers.

Recently, it has been noted that at minimum the user database containing usernames, passwords and emails was compromised using a vulnerability of the in-house version of a software package called 'Symfony PHP framework' that site deploys. (see reference).

Unregistered users are at minimal risk with the recent compromise.

Mitigation/Solution

It is advised that users avoid downloading software from download.com and seek more direct downloads from software vendors where possible. Further, it is strongly advised users evaluate what information they may have supplied CNET and to act accordingly to ensure other sites and resources may not be abused with compromised information.

Users are advised against continued use of the site. However, provided no registrations are performed and one is utilizing sufficient ad blocking software, possibly with javascript disabled, one may access resources provided by the site for informative purposes only. Though again it is advised against more than casual use of the site.

References